Spotlight on China's hackers after accusations against PLA unit 61398

Since Mandiant, a US information technology security firm, sparked controversy by blaming a special unit of the People's Liberation Army for launching a series of cyberattacks on US companies, the shadowy world of hackers in China has been in the spotlight. Their activities have become a focal point of Sino-US relations.

As in the West, hackers are mostly young men fascinated by information technology. But hackers in China are somewhat different to those in other countries.

Hong Kong writer and political commentator Joe Chung's controversial views have made him a target for mainland hackers. "In China hackers are left alone by the central government as long as they direct their attacks against foreign targets," he said. "In that case, they are allowed much greater freedom than would be the case in Western countries, where hacking is illegal, and the law is more strictly enforced."

China has quite a number of "patriotic hackers", who believe they can use their skills in support of their beliefs. When there is tension between China and the US, they lend their support to the nation by attacking targets in the US. In May 2001, when a US spy plane and a Chinese jet collided, killing the Chinese pilot, hackers responded by invading the White House website with a denial-of-service attack that swamped it with hits from a legion of zombie browsers on hijacked computers.

Japanese sites and the sites of Taiwan independence groups have also been hacked and defaced. The 2008 Olympics brought another wave of attacks. When CNN's Jack Cafferty called China's leaders thugs and goons Chinese hackers attacked CNN.

Patriotic hackers belong to loose alliances such as the hongke or Red Hacker group. They see themselves as champions of political values and use their skills to attack their political enemies. One young hacker told me of his excitement at being able to lurk in the virtual space of the White House for a few seconds at a time before security surveillance software blocked him out. When asked why he did this, he said: "The US is our enemy."

Another community is at Isbase.com. They say they do not support the infiltration of financial and educational websites in China, but they don't prohibit attacking similar websites in other countries. And because China does not appear to strictly enforce the law when it comes to attacks on foreign networks, it is even harder for the US and other affected countries to react. Even when US security agencies can track down specific individuals, it's very unlikely that an extradition would take place, given the present state of Sino-US relations.

Indeed, China's general response is simply to deny it is involved in hacking, and claim it's impossible to prove where the hacking is coming from. But that doesn't prevent it from claiming it is being hacked by the US.

Apart from strategic economic and military assets, targets of state-sponsored hackers include "enemies of China" such as the Dalai Lama and Tibetan exiles. They also include internal enemies such as dissident writers.

Hackers' services are often advertised on discussion forums. According to Zhang Kehuan, assistant professor at the Chinese University of Hong Kong, who researches cybersecurity, Chinese hackers exchange information and software tools for hacking on bulletin boards.

The Chinese word for hacker is heike, which means dark guest, and hackers like to operate in the twilight of anonymity. Their tracks can be covered using software such as Tor. Nevertheless, hackers can leave traces, and some have been tracked down. Joe Stewart, a US internet security expert, identified one hacker because he was a car enthusiast and through his business activities. One hacker left clues in a blog in which he describes his work (see below).

According to cyberwarfare researcher Scott Henderson hackers tend to be more careful these days. They co-ordinate through private messaging rather than blogs or websites, leaving no public record of their activities. Henderson, who mapped the network of Chinese hacker websites and forums in 2004, said there were 380,000 people logged on at any one time. Of course, not all of them are experts, some are wannabes looking to learn the tools of the trade, or new recruits, as they are referred to on one of China's largest hacking sites, The Green Army.

Not all cyberwarriors take the home hobbyist route. Some are computer science graduates recruited and trained by the military. One advertisement for the now notorious PLA unit 61398 on a Zhejiang University site read: "The graduate school has received notice that unit 61398 of China's People's Liberation Army (located in Pudong district, Shanghai) seeks to recruit 2003-class computer science graduate students. Students who sign the service contract will receive a 5,000 yuan per year national defence scholarship. After graduation, students will work in the same field within the PLA."

Zina Yung, chief computer officer at the Hong Kong University of Science and Technology's department of computer science, says hackers are constantly scanning the university computer network ports for security weaknesses. Most attacks are easily defended, but some are sophisticated. Yung believes the aim is "to take control of the university network and use it to launch attacks on more important targets". Most attacks are from Russia, Africa and mainland China.

"Many hackers are simply young people who find hacking tools online and enjoy playing with this technology. Young people can find all the hacking software they need and detailed instructions on exactly how to use it online" says Yung.

Yung is referring to programs which contain just about every known security vulnerability, scripts to probe networks for vulnerabilities and Trojans to exploit them. Online tutorials show how to use these tools, step by step. They are free to download, because they have legitimate uses for testing network security. Today's hackers are a generation who have grown up with personal computers. With programs like this, anyone can be a hacker.